Abstract

Biometric authentication systems are presented as the best way to reach high security levels in controlling access to IT systems or sensitive infrastructures. But several issues are often not taken properly into account. In order for the implementation of those systems to be successful, the hidden risks and the related liabilities have to be carefully analyzed before biometrics can be used on a large scale for sensitive applications.
1 Introduction

Access control to Information Technology (IT) systems or to sensitive infrastructure is a basic tool of security management, keeping the bad guys away from vital data, bank accounts or top secret military projects. Until a few years ago access control was based almost exclusively on some secret, typically a password, shared by the person willing to access and the system to be accessed. But passwords can be guessed or, being hard to remember, written down on a piece of paper, easy to get stolen or lost.

With the flourishing of online services and the related boom of frauds and identity thefts a more robust access control system has become necessary. For a while the new paradigm was the so called strong (or two-way) authentication: something to know and something to own. In order to access, the user needs to know a personal code and to keep some physical token under his/her sole control: a one-time-password generator, a smart card or a USB token protected by a Personal Identification Number (PIN). Surely more secure, since losing the token is almost harmless, the token being useless without the corresponding access code (PIN). Nevertheless it obliges the loser to stay for a while without access capability and to enroll for a new token. So authentication based on biometric systems (the use of a physical or behavioural personal feature) has gained momentum, pushed by smart marketing slogans: authentication based on a personal feature that can never be lost, stolen or forgotten. Therefore biometrics is now sold as the silver bullet, the ultimate solution to overcome the annoying aspects of the authentication process.

* Disclaimer: The views expressed in this paper are solely the author's and should not be attributed to his employer.

But is biometrics really so effective? Are the hard facts supporting the promises of biometrics?

In the following we will try, without any claim of thoroughness^1, to look at some often neglected^2 aspects which suggest some caution when evaluating an access control system based on biometric techniques.

2 Access Control: Some basic concepts

Let us start with some definitions. The basic concepts are: authentication and identification.

authentication^3: the process of checking the validity of an identity claim by matching a credential against a set of reference values;

identification: the process of searching the entire set of possible identities in order to find the right one matching the measured feature.

More formally, given a reference set R of pairs (user-id, secret)

$$R = \{(u_1, s_1), (u_2, s_2), \ldots, (u_n, s_n)\},$$

the authentication process challenges the user claiming to be $u_i$ to enter the corresponding secret $s_i$. Then the secret $s'$ entered by the would-be user is compared to the corresponding stored value. If there is a match ($s_i = s'$), the claim is accepted and access is allowed, otherwise it is denied. Pretty deterministic^4.

^1 See [1] for a more complete treatment.

^2 In fact most issues addressed in the present paper have been analyzed and taken into account in the biometric scientific literature (see [1] and chapter 1 of [2]) but overlooked in the documents addressed to the managers in charge of taking decisions, obviously non-specialist readers.

^3 Often called verification in biometric literature.

Identification is a bit more complicated. Again, given a stored set of pairs (user-id, distinguishing feature), the identification process looks up whether the reference set contains a distinguishing feature^5 matching the presented one. A typical forensic example is the usage of fingerprints in order to identify the people involved in a crime. Identification is not used in the traditional systems and it is considered one of the best advantages of biometrics, allowing the credentials to be presented by the user automatically, sometimes unwillingly, e.g. by using face pictures taken by surveillance cameras in crowded areas.

Another peculiarity of biometrics is the so called negative identification, aiming to prove that a person, for example trying to get some benefits of the social security system using a fake identity, is not who he/she claims to be. This feature is also not available in the traditional systems.

The caveats discussed in the next sections apply to all kinds of biometric applications.

3 Biometrics is different

There is a number of important aspects that make biometrics different from the traditional techniques, but the most relevant is surely its probabilistic nature. In fact, several factors contribute to make biometrics not deterministic:

• environmental noise when biometric data are collected, both at enrollment and during normal operation;

• context of data acquisition: in a laboratory or in the wild;

• cooperative (or not) approach by the end users;

• natural changes in the biometric features:

  — faces change with aging;

  — fingerprints can be worn or modified by age, hard manual work or accidents;

  — voice changes with age and health status, e.g. if a person has a cold;

  — handwritten signature changes.

^4 In most cases only a cryptographically hashed digest of the secret is stored on the server side, leaving an extremely small chance of secret collisions (for an introduction see [3]).

^5 Obviously assuming that the feature (or a set of them) is unique.

All these changes occur in a way that is substantially unpredictable; so a system based on them shall cope with results that are different each time. To do so the system shall compute a similarity score S between the stored reference value and the measured one. That score is then compared with a predefined threshold T in order to decide whether to accept (when S > T) or reject the user credentials. The higher the score, the more likely the measured sample comes from the right person. Moreover, given the natural evolution of the features, the system shall also foresee a cyclic renewal of the reference sample against which the comparison is made.

The aleatory nature of biometric data changes the way we evaluate whether such a system is suitable for our purposes, in other words whether it fulfils the required discriminatory power. To deal properly with that issue we need to recall a bit of probability theory.

In fact, some misunderstanding^6 about basic concepts of that theory can lead to a totally wrong evaluation of the real effectiveness of the device under study.

3.1 False match rate and false non match rate

The more 'serious' suppliers of biometric terminals, trying to underpin the amazing statements about the performance of their products, highlight two typical parameters to characterize the devices: false match rate (FMR) and false non match rate (FNMR)^7.

• FMR is defined as the probability that there is a match between the reference credential and a false presented one; in other words it is the probability that the device allows the access if the user is a fake;

• FNMR is defined as the probability that there is no match between the reference credential and the true presented one; in other words it is the probability that the device denies the access if the user is a legitimate one.

In the theory of probability these are named conditional probabilities, the condition being the 'if the user is ...' clause^8.

^6 Sometimes also skilled scientists make mistakes! [4]

^7 FMR and FNMR are both functions of the threshold T. Generally speaking, FMR(T) increases when lowering T, that is making the system more tolerant, while, on the contrary, FNMR(T) increases when making the system more restrictive, i.e. increasing T. So a trade-off between the two parameters has to be found. Another parameter used quite often is the Equal Error Rate (EER), that is the value at the threshold such that FMR(T) = FNMR(T). Other parameters are available and can be important. If, for example, the system can be tuned in order to adjust FMR and FNMR to the system's scope, the Receiver Operation Curve (ROC), plotting FMR vs (1 - FNMR), becomes relevant. Although important when implementing a real system, ROC and the other available parameters will not be addressed here. This choice does not affect the conclusions of this paper.

However, neither FMR nor FNMR corresponds to what we are really interested in, that is the probability that the user is legitimate (or a fake) if the credential is accepted. To get this number we shall perform a so called probabilistic inversion that, to avoid trivial mistakes, has to be done according to the rules of probability theory. As we will see with a simple numerical example, FMR = 0.001 DOES NOT MEAN that the probability that a fake is allowed to access the system is 1‰. There are in fact other 'ingredients' to be taken into account, and we now need to take a detour into the theory of probability.
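As an added illustration, not code from the paper, the following Python snippet shows how FMR(T) and FNMR(T) are obtained empirically from similarity scores and how the trade-off described in the footnote on the threshold T, including the Equal Error Rate, falls out of a threshold sweep. The genuine and impostor scores are constructed for this example and do not come from any real device; the function names are assumptions of the example.

```python
"""Empirical FMR(T), FNMR(T) and EER from similarity scores (added example)."""
from typing import List, Sequence, Tuple

# Constructed scores for this example (not measurements from any real device).
# A similarity score S in [0, 1] is computed per attempt; genuine attempts
# (the enrolled person) cluster high, impostor attempts cluster low, and the
# two distributions overlap, which is what makes the choice of T a trade-off.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.78, 0.72, 0.65]
IMPOSTOR_SCORES = [0.10, 0.15, 0.20, 0.25, 0.30, 0.40, 0.50, 0.60, 0.70, 0.75]


def fmr(impostor: Sequence[float], threshold: float) -> float:
    """FMR(T): fraction of impostor attempts the gate accepts (S > T)."""
    return sum(1 for s in impostor if s > threshold) / len(impostor)


def fnmr(genuine: Sequence[float], threshold: float) -> float:
    """FNMR(T): fraction of genuine attempts the gate rejects (S <= T)."""
    return sum(1 for s in genuine if s <= threshold) / len(genuine)


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """Rows (T, FMR(T), FNMR(T)) for T = 0, 1/steps, ..., 1."""
    return [(i / steps, fmr(impostor, i / steps), fnmr(genuine, i / steps))
            for i in range(steps + 1)]


def trade_off_holds(genuine: Sequence[float], impostor: Sequence[float]) -> bool:
    """Check the claim that raising T never raises FMR and never lowers FNMR."""
    rows = sweep(genuine, impostor)
    return all(b[1] <= a[1] and b[2] >= a[2] for a, b in zip(rows, rows[1:]))


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                     steps: int = 1000) -> Tuple[float, float]:
    """Threshold at which FMR(T) and FNMR(T) are closest, and the rate there (EER)."""
    t, a, b = min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))
    return t, (a + b) / 2


if __name__ == "__main__":
    for t, a, b in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps=10):
        print(f"T = {t:.1f}  FMR = {a:.2f}  FNMR = {b:.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores the two curves cross at T = 0.7, where one impostor in ten is still accepted and one genuine user in ten is rejected (EER = 0.1); moving T in either direction trades one error for the other, which is why a supplier's single FMR figure says nothing without the matching FNMR at the same threshold.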

4 The probabilistic inversion and how it depends on the 'sample population'

Let us start by introducing a bit of notation.

Let A be the event 'access allowed' and F the event 'fake credential'. Let $\bar{A}$ and $\bar{F}$ be the logical complements: 'access not allowed' and 'valid credential', respectively. With this definition our FMR and FNMR become:

FMR: $P(A \mid F)$

FNMR: $P(\bar{A} \mid \bar{F})$

In fact, the right expression should be $P(A \mid F, I)$ where I indicates the knowledge status about 'the rest of the world' (see footnote 8); nonetheless, for the sake of simplifying the notation, I will not be stated explicitly in the following. As said before, these two probabilities should not be confused, as is often the case (see e.g. [5]), with what we are ultimately interested in:

probability of allowing legitimate access (LA): $P(\bar{F} \mid A)$

probability of denying illegitimate access (NLA): $P(F \mid \bar{A})$.

^8 In fact EVERY probability is conditional on the application context and the knowledge status of the person assigning it a value. Even the probability 1/2 of obtaining a head tossing the classical coin implies the unspoken hypotheses that the coin is fair and that we can ignore the probability that the coin stands on its edge. The conditional probability with respect to events and facts not strictly related to the problem under examination is called a priori. For a relatively short but complete introduction see Ref. [5].

It is then crucial to learn how LA and NLA are related to FMR and FNMR. We are talking about probability inversion, and the tool to perform this logical operation in the framework of probability theory is called Bayes' theorem.

4.1 Conditional probabilities and Bayes' theorem

Let us recall this very simple result of probability theory. Given two generic events E and C, where C is a possible cause for E, the conditional probability $P(E \mid C)$ is the probability of event E assuming that event C occurred^9. Bayes' theorem tells us how to go from $P(E \mid C)$ to $P(C \mid E)$, i.e. the probability that C is in fact the cause of the event E. This is indeed the problem we have to solve in order to evaluate the effectiveness of our biometric device. In its text-book version Bayes' theorem states:

$$P(C \mid E) = \frac{P(E \mid C) \cdot P(C)}{P(E \mid C) \cdot P(C) + P(E \mid \bar{C}) \cdot P(\bar{C})} \qquad (1)$$

where $P(C)$ is the a priori probability of event C, i.e. the probability of the occurrence of event C without any information about that of event E.

Without making things too complicated, we can spot the too often neglected point:

The probability of interest depends on prior probabilities.

In our case it means that in order to evaluate the probability of LA, we must have a sound estimate of the probability that a person, randomly selected in the population under scrutiny, is not a fake.

4.2 A numerical example

Let us take the example of a population of 1000 people, e.g. that of a medium size company, and let us assume^10 that just a single person could have some reason to act against the company and would be interested in selling sensitive data to a competitor. That is

$$P(\text{'unfaithful employee'}) = P(F) = 0.001. \qquad (2)$$

^9 In other words, in these terms of cause and effect, $P(E \mid C)$ is the probability of C producing E, while $P(C \mid E)$ is the probability of E having been produced by that cause.

^10 e.g. on the basis of historical or literature data.



Furthermore, let us suppose we have an access control system based on biometrics with^11

$$\text{FMR} = 0.001 \qquad (3)$$

$$\text{FNMR} = 0.001, \qquad (4)$$

that is

$$P(\bar{A} \mid F) = 1 - P(A \mid F) = 1 - \text{FMR} = 0.999 \qquad (5)$$

$$P(\bar{F}) = 1 - P(F) = 0.999 \qquad (6)$$

$$P(\bar{A} \mid \bar{F}) = \text{FNMR} = 0.001 \qquad (7)$$

Applying Bayes' theorem, we find that the probability $P(F \mid \bar{A})$ that the user is a fake if he/she is not allowed to enter the system, given by^12

$$\text{NLA} = P(F \mid \bar{A}) = \frac{P(\bar{A} \mid F) \cdot P(F)}{P(\bar{A} \mid F) \cdot P(F) + P(\bar{A} \mid \bar{F}) \cdot P(\bar{F})} = \frac{0.999 \cdot 0.001}{0.999 \cdot 0.001 + 0.001 \cdot 0.999} \qquad (8)$$

is just 50%! In other words, half of the accesses denied should have been allowed instead.

The following table shows how the final probability changes varying the prior by orders of magnitude:

  P(F)     P(F | Ā)
  0.001    0.50
  0.01     0.91
  0.1      0.99

Let us also see what happens if we increase both FMR and FNMR by one order of magnitude, i.e. FMR = FNMR = 0.01. The previous table becomes now

  P(F)     P(F | Ā)
  0.001    0.09
  0.01     0.50
  0.1      0.92

The conclusion is evident: the physical and logical environment where the system is planned to be installed are key issues to be taken into account before deciding whether to adopt a biometric authentication system and what its features and parameters should be^13.

^11 Typical values for fingerprints, by far the most mature biometric technique, are an order of magnitude higher. Iris scanning is alleged to achieve better performance, but it is more expensive and not widely spread.

^12 It might be convenient to write the expressions of NLA and LA in terms of the quantities of interest [indicating P(F) simply as F], getting thus

$$\text{NLA} = \frac{(1 - \text{FMR}) \cdot F}{(1 - \text{FMR}) \cdot F + \text{FNMR} \cdot (1 - F)}$$

$$\text{LA} = \frac{(1 - \text{FNMR}) \cdot (1 - F)}{(1 - \text{FNMR}) \cdot (1 - F) + \text{FMR} \cdot F}$$
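The same inversion, as an added example in Python that is not part of the paper: the NLA and LA expressions written in terms of FMR, FNMR and F (the prior P(F)) are coded directly, both tables above are regenerated, and the 1000-employee case is restated as expected head-counts, which makes the 50% result intuitive. Function names are assumptions of this example.

```python
"""Bayesian inversion for a biometric gate (added example, not from the paper).

Inputs: FMR = P(A | F), FNMR = P(not A | not F), prior = P(F).
Outputs: NLA = P(F | not A) and LA = P(not F | A).
"""
from typing import Dict, Sequence, Tuple


def nla(fmr: float, fnmr: float, prior_fake: float) -> float:
    """P(F | access denied): the probability a denied user was actually a fake."""
    f = prior_fake
    denied_if_fake = 1.0 - fmr      # P(not A | F)
    denied_if_valid = fnmr          # P(not A | not F)
    num = denied_if_fake * f
    return num / (num + denied_if_valid * (1.0 - f))


def la(fmr: float, fnmr: float, prior_fake: float) -> float:
    """P(not F | access allowed): the probability an admitted user is legitimate."""
    f = prior_fake
    allowed_if_valid = 1.0 - fnmr   # P(A | not F)
    allowed_if_fake = fmr           # P(A | F)
    num = allowed_if_valid * (1.0 - f)
    return num / (num + allowed_if_fake * f)


def nla_table(fmr: float, fnmr: float,
              priors: Sequence[float] = (0.001, 0.01, 0.1)) -> Dict[float, float]:
    """Rebuild the paper's tables: prior P(F) -> NLA, rounded to two decimals."""
    return {p: round(nla(fmr, fnmr, p), 2) for p in priors}


def expected_denials(population: int, fmr: float, fnmr: float,
                     prior_fake: float) -> Tuple[float, float]:
    """Expected number of denied fakes and denied honest users in a population.

    Frequency view of the 50% result: with 1000 people, one fake and
    FMR = FNMR = 0.001, about 0.999 fakes and 0.999 honest users are denied,
    so a denial is as likely to hit an honest employee as the unfaithful one.
    """
    fakes = population * prior_fake
    honest = population - fakes
    return fakes * (1.0 - fmr), honest * fnmr


if __name__ == "__main__":
    for fmr_, fnmr_ in ((0.001, 0.001), (0.01, 0.01)):
        print(f"FMR = FNMR = {fmr_}:")
        for prior, value in nla_table(fmr_, fnmr_).items():
            print(f"  P(F) = {prior:<6} -> P(F | denied) = {value:.2f}")
    print("denied (fakes, honest) among 1000 people:",
          expected_denials(1000, 0.001, 0.001, 0.001))
```

Note how LA stays close to 1 in the 1000-employee case while NLA collapses to 0.5: with so few fakes in the population almost every admission is correct, but almost every denial is a false alarm, and only the prior, not the device's FMR and FNMR, decides which of the two regimes applies.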

5 Other biometric issues

5.1 Non-universality

Biometrics is related to physical or behavioural features. Before implementing such a system we have to ask ourselves: "What if some features are not owned by the whole population?" Voice recognition does not work with speech impaired people, there are people with unusable fingerprints, gait is not suitable for people in wheelchairs, the face could be unavailable for religious reasons (see below). Alternative authentication mechanisms shall be in place for the persons that can not be measured^14.

5.2 Biometric spoofing

Even though biometrics refers to strictly individual features, they can be spoofed. In other words, someone can steal our data and our identity. Indeed, most of our biometric data are publicly available. We leave our fingerprints everywhere, our voice can be recorded any time, our face is always to the front.

Years ago, the German hacker group Chaos Computer Club was able to take the fingerprints of the German Minister of Interior Affairs W. Schäuble, publishing 4000 copies as a thin plastic foil^15 ready to be pasted on the fingers of anyone wishing to be a Minister for one day.

While if a password or a digital certificate gets compromised we could change it, revoking it and issuing a new one, once a biometric datum is compromised the remediation could be quite hard^16. Therefore, how to manage the possible compromise of data shall be analyzed in advance, well before deploying the system, and the remediation steps already designed and operational when the system starts running in earnest.

^13 For an elementary but important application of Bayes' theorem in the much more serious field of cancer prevention see Ref. [6].

^14 In fact the usage of so called multimodal biometrics (multibiometrics), i.e. of systems based on multiple biometric features, has been proposed and analyzed from a theoretical standpoint. Nonetheless it does not seem to have reached the status of a mature product, likely because of the major costs that make multimodal systems not yet suitable for general purpose installations.

^15 http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/ It has to be pointed out that the more sophisticated sensors are able to distinguish a real living finger from a plastic copy by sensing temperature, sweat or heart pulse.

5.3 Data protection and identity thefts

Another aspect often neglected in the CSI-style^17 dissemination of biometrics regards the algorithm transforming the biometric features into raw (analog) data and then into the final byte string (the so-called template) stored in the device itself or in a centralized database.

First problem: biometrics is still ruled by proprietary solutions, kept secret and protected by patents. That bars an independent evaluation of the device performance and of its real capability to sift the fake users from the legitimate ones^18. We have to take for granted the FMR and FNMR self-declared by the supplier.

Second problem: leaving aside FMR and FNMR, it is quite hard to prove, apart from the claims of the supplier, whether the devices are really effective in securing biometric data against unauthorized usage^19. Even when using a match-on-card system^20, where the template is stored in the device itself, maybe ensuring that no biometric database exists, quite often nothing is said about the security features protecting the template itself^21.

Third problem: the template is obviously a digest of the complete measured analog data set. Combining this point with the probabilistic nature of biometrics implies that, in a quite large population, the probability of collision is no longer irrelevant. So, the probability that a biometric datum is attached to the wrong person becomes non-vanishing, like in the famous case of Brandon Mayfield^22, who was prosecuted for the Madrid terrorist attack on the basis of a DNA sampling by the U.S. Federal Bureau of Investigation, blindly trusting its technological tools. In this matter the Spanish police, using more traditional methods and combining several bodies of evidence^23, put the real terrorists in jail.

And what if someone steals the database where the templates are stored? What is the impact on the end users and what risks are they undertaking? Nowadays identity theft is a really serious threat; making it easier for a villain to put his hands on our own features does not look like a brilliant idea.

^16 We can not enroll more than ten fingers!

^17 The popular crime drama television series (http://en.wikipedia.org/wiki/CSI:_Crime_Scene_Investigation) portraying a bit unrealistically the forensic investigations.

^18 The generally deprecated security by obscurity.

^19 What happens if the template binary string is presented to the matching algorithm without the physical presence of the unaware owner of the original biometric data? How is this risk avoided?

^20 http://www.matchoncard.com/

^21 Compare that situation to what is required (in many EU countries) for the Secure Signature Creation Devices (typically smart cards) to be used for the qualified electronic signature ([7], [8]). They shall be formally certified against a suitable Protection Profile [9] by an officially accredited National Certification Body.

5.4 Changing the scope

On the basis of what has been discussed in the previous sections, a further important risk arises from carelessly extending the biometric authentication model to a wider and different context compared with the one the system was originally designed for. Previously acceptable values of FMR and FNMR, thought for a small, strongly characterized population, can be quite unsuitable in a totally different environment. If, for instance, we put in place an authentication scheme based on face recognition, it is very different to identify or authenticate an employee in a set of some hundreds at most and to use the same system in order to identify a person out of millions, maybe in the middle of a crowd^24. So, when we decide to implement a biometric system, the objectives and the borders of the system shall be clearly defined from the very beginning of the project design phase; a practice that should be followed when building any system.

5.5 Social and cultural issues, privacy

Besides security and technical issues, when implementing a biometric system we also need to take into account the social and cultural aspects.

While there is almost no cultural hurdle to entering a code on a keyboard, using our own body can be at odds with traditional culture, religious prescriptions and the like. A typical example is the face. Sometimes women wear a veil for religious reasons; men may have bushy beards for religious or traditional habits, hiding most of the distinctive features of the face. A face recognition system could not work properly with them, because we can not force people to adapt their habits and principles to our technology; likewise it could not work properly with a person enrolled with spectacles when these are replaced with contact lenses, because such a change can dramatically alter the correspondence between the stored template and the real person under scrutiny. But other systems have their drawbacks too: religious beliefs can be at odds with DNA sampling, fingerprints make us feel uncomfortable and a bit criminal. All these issues can make it hard to use a specific biometric system on a large scale, while it is relatively easy to set one up in a limited context, with a reduced set of people more or less willing to give away a digital part of themselves.

It is not by chance that several Data Protection Authorities (at least in the EU) have remarked on the proportionality principle between the scope of an authentication scheme and the means to implement it. By itself, this principle is obvious to anyone working in risk analysis, in Information Security or in Insurance, but it is not widespread enough in other sectors, where too many are prey to the astonishing promises peddled by smart sellers.

^22 http://en.wikipedia.org/wiki/Brandon_Mayfield

^23 See [5] again, comparing how the probability updates with a single piece of evidence and with several pieces of evidence, each one less convincing.

^24 Even human brains, well suited to recognizing faces, can be very uncertain about an identification if a person is met in an unusual place, as is quite a common experience.



6 Conclusions 

In order to fight the spread of identity fraud we need to add new instruments to our security toolbox, and biometrics can surely be one of them. Nevertheless biometrics can be part of a wider authentication system only after a careful analysis of the scope and of the specific usage context. Such analysis shall take into account the alternative security measures and the risks of abuse and infringement of freedom and dignity.

Any uncritical acceptance of proposals based on technology only, even if 
supported by some interesting benchmarks, shall be avoided. If the benchmarks 
themselves are missing, then we must be wary of the proposer's seriousness. 

All these considerations are especially important when a company supplies identification/authentication services. Introducing a biometric system means the company takes charge of all the risks quoted above.

Too often, this risk engagement is not carefully evaluated, as the present paper suggests.